This document explains the advantages of the use of Wi-Fi Protected Access 2 (WPA 2) in a Wireless LAN (WLAN). The document provides two configuration examples on how to implement WPA 2 on a WLAN. The first example shows how to configure WPA 2 in enterprise mode, and the second example configures WPA 2 in personal mode.

Note: The Aironet CB21AG and PI21AG client adapter software is incompatible with other Aironet client adapter software. You must use the Aironet Desktop Utility (ADU) with CB21AG and PI21AG cards, and you must use the Aironet Client Utility (ACU) with all other Aironet client adapters. Refer to Installing the Client Adapter for more information on how to install the CB21AG card and ADU.

Note: This document uses an AP/bridge that has an integrated antenna. If you use an AP/bridge which requires an external antenna, ensure that the antennas are connected to the AP/bridge. Otherwise, the AP/bridge is unable to connect to the wireless network. Certain AP/bridge models come with integrated antennas, whereas others need an external antenna for general operation. For information on the AP/bridge models that come with internal or external antennas, refer to the ordering guide/product guide of the appropriate device.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

WPA is a standard-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs. WPA provides enhanced data protection and access control for WLAN systems. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and small office, home office (SOHO) environments.

WPA 2 is the next generation of Wi-Fi security. WPA 2 is the Wi-Fi Alliance interoperable implementation of the ratified IEEE 802.11i standard. WPA 2 implements the National Institute of Standards and Technology (NIST)-recommended Advanced Encryption Standard (AES) encryption algorithm with the use of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES Counter Mode is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. The CCMP algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame.

Note: CCMP is also referred to as CBC-MAC.

WPA 2 offers a higher level of security than WPA because AES offers stronger encryption than Temporal Key Integrity Protocol (TKIP), the encryption algorithm that WPA uses. WPA 2 creates fresh session keys on every association. The encryption keys that are used for each client on the network are unique and specific to that client. Ultimately, every packet that is sent over the air is encrypted with a unique key. Security is enhanced with the use of a new and unique encryption key because there is no key reuse. WPA is still considered secure and TKIP has not been broken. However, Cisco recommends that customers transition to WPA 2 as soon as possible.

WPA and WPA 2 both support two modes of operation:

Enterprise mode

Personal mode

This document discusses the implementation of these two modes with WPA 2.

The term enterprise mode refers to products that are tested to be interoperable in both Pre-Shared Key (PSK) and IEEE 802.1x modes of operation for authentication. 802.1x is considered to be more secure than any of the legacy authentication frameworks because of its flexibility in support of a variety of authentication mechanisms and stronger encryption algorithms. WPA 2 in enterprise mode performs authentication in two phases. Configuration of open authentication occurs in the first phase. The second phase is 802.1x authentication with one of the EAP methods. AES provides the encryption mechanism.

In enterprise mode, clients and authentication servers authenticate each other with the use of an EAP authentication method, and the client and server generate a Pairwise Master Key (PMK). With WPA 2, the server generates the PMK dynamically and passes the PMK to the AP.

This section discusses the configuration that is necessary to implement WPA 2 in the enterprise mode of operation.

In this setup, an Aironet 1310G AP/Bridge that runs Cisco Lightweight Extensible Authentication Protocol (LEAP) authenticates a user with a WPA 2-compatible client adapter. Key management occurs with the use of WPA 2, on which AES-CCMP encryption is configured. The AP is configured as a local RADIUS server that runs LEAP authentication. You must configure the client adapter and the AP in order to implement this setup. The sections Configure the AP and Configure the Client Adapter show the configuration on the AP and the client adapter.

A combination of both Cisco and third-party clients—Choose both Network EAP and Open Authentication with EAP.

Scroll down the Security SSID Manager window to the Authenticated Key Management area and complete these steps:

From the Key Management menu, choose Mandatory.

Check the WPA check box on the right.

Click Apply.

Note: The definition of VLANs is optional. If you define VLANs, client devices that associate with use of this SSID are grouped into the VLAN. Refer to Configuring VLANs for more information on how to implement VLANs.

Choose Security > Local Radius Server and complete these steps:

Click the General Set-Up tab located at the top of the window.

Check the LEAP check box and click Apply.

In the Network Access Servers area, define the IP address and shared secret of the RADIUS server.

For the local RADIUS server, use the IP address of the AP.

Click Apply.

Scroll down the General Set-Up window to the Individual Users area and define the individual users.

The definition of the user groups is optional.

This configuration defines a user with the name "user1" and a password. Also, the configuration selects NT hash for the password. After completion of the procedure in this section, the AP is ready to accept authentication requests from clients. The next step is to configure the client adapter.

This action enables either WPA or WPA 2, whichever you configure on the AP.

Click Configure in order to define LEAP settings.

Choose the appropriate Username and Password Settings, based on the requirements, and click OK.

This configuration chooses the option Automatically Prompt for User Name and Password. This option enables you to manually enter the user name and password when LEAP authentication takes place.

Click OK in order to exit the Profile Management window.

Click Activate in order to enable this profile on the client adapter.

Note: If you use Microsoft Wireless Zero Configuration (WZC) to configure the client adapter, by default, WPA 2 is not available with WZC. So, in order to allow WZC-enabled clients to run WPA 2, you must install a hot fix for Microsoft Windows XP. Refer to the Microsoft Download Center - Update for Windows XP (KB893357) for the installation.

The term personal mode refers to products that are tested to be interoperable in the PSK-only mode of operation for authentication. This mode requires manual configuration of a PSK on the AP and clients. PSK authenticates users via a password, or identification code, on both the client station and the AP. No authentication server is necessary. A client can gain access to the network only if the client password matches the AP password. The password also provides the keying material that TKIP or AES uses to generate an encryption key for the encryption of the data packets. Personal mode is targeted at SOHO environments and is not considered secure for enterprise environments. This section provides the configuration that you need to implement WPA 2 in the personal mode of operation.

In this setup, a user with a WPA 2-compatible client adapter authenticates to an Aironet 1310G AP/Bridge. Key management occurs with the use of WPA 2 PSK, with AES-CCMP encryption configured. The sections Configure the AP and Configure the Client Adapter show the configuration on the AP and the client adapter.
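The following Python example is added here to make concrete two statements made earlier in this document: that in personal mode the password is the keying material from which the AES encryption key is derived, and that WPA 2 nevertheless produces fresh session keys on every association (in enterprise mode the same per-association derivation runs, but the PMK comes from the EAP exchange via the RADIUS server instead of from a passphrase). It is not Cisco code and is not taken from the AP or client software described on this page; it implements the IEEE 802.11i derivations (PBKDF2-HMAC-SHA1 for the PSK, PRF-384 for the CCMP pairwise transient key) using only the Python standard library. The MAC addresses and nonces are constructed sample values; the passphrase "password" with SSID "IEEE" is the published IEEE 802.11i Annex H.4 test vector.

```python
"""WPA 2 key derivation per IEEE 802.11i (added example, not Cisco code)."""
import hashlib
import hmac
import os


def validate_passphrase(passphrase: str) -> None:
    """802.11i restricts a WPA/WPA 2 passphrase to 8-63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must consist of printable ASCII characters")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).

    The PMK is fixed for a given passphrase and SSID, so every station that knows
    the passphrase derives the same PMK. The passphrase is therefore the root of
    trust of a personal-mode network, which is why this mode is not recommended
    for enterprise use.
    """
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for AES-CCMP (PRF-384), computed in the 4-way handshake.

    aa/spa are the 6-byte MAC addresses of the AP (authenticator) and the station;
    anonce/snonce are the 32-byte random nonces that each side contributes.
    Because both sides sort the addresses and nonces before use, the AP and the
    station arrive at the same PTK regardless of which role supplies which value.
    The PTK splits into the key confirmation key (KCK), key encryption key (KEK)
    and the temporal key (TK) that CCMP actually uses to encrypt data frames.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def demo():
    """Derive one PMK and two PTKs from it, as two separate associations would."""
    # Constructed sample values (the passphrase/SSID pair is the 802.11i Annex H.4 vector).
    pmk = pmk_from_passphrase("password", "IEEE")
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    # Each association uses fresh nonces, so the TK differs even though the PMK is static.
    first = ptk_from_pmk(pmk, ap_mac, sta_mac, os.urandom(32), os.urandom(32))
    second = ptk_from_pmk(pmk, ap_mac, sta_mac, os.urandom(32), os.urandom(32))
    return pmk, first, second


if __name__ == "__main__":
    pmk, first, second = demo()
    print("PMK :", pmk.hex())
    print("TK#1:", first["TK"].hex())
    print("TK#2:", second["TK"].hex())
    print("same PMK, different TK per association:", first["TK"] != second["TK"])
```

The point to take from running it: the PMK line is identical on every run (it depends only on the passphrase and SSID), while the two TK lines differ on every run because the nonces change per association. That is the property the text describes as "no key reuse", and it holds in both modes; what personal mode lacks is per-user PMKs, which enterprise mode gets from the EAP exchange.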